myITforum.com Community Forum myITforum.com Community Forum

Home  Forums  Blogs  Live Support chat  Search Articles  Wiki  FAQ  Email Lists  Register  Login  My Profile  Inbox  Address Book  My Subscription  My Forums 

Photo Gallery  Member List  Search  Calendars  FAQ  Ticket List  Log Out

All Forums RSS Feed Subscription:


  


restrict software deployment to servers

 
View related threads: (in this forum | in all forums)

Logged in as: Guest
  Printable Version
All Forums >> [Management Products] >> System Center Products >> System Center Configuration Manager >> restrict software deployment to servers Page: [1]
Login
Message << Older Topic   Newer Topic >>
restrict software deployment to servers - 11/4/2008 4:10:42 PM   
smckenney190

 

Posts: 36
Score: 0
Joined: 8/26/2005
Status: offline 		Our environment requires us to have a separation of duties when it comes to servers and workstations.  We have an admin that does all the config and deployments for workstations.  Since our site is also a software update point, when we point our servers to it of r windows updates, our server will start installing SCCM clients on them.  However, we do not want our other admin to accidentally start pushing things he shouldn't to the servers by mistake. We want to start getting clients on anyway, but does anyone have ideas how we could limit access? We probably wouldn't even use SCCM for software distribution on servers, so disabling it might be an option.  But ideally, we would like to completely limit a set of resources.
Post #: 1
RE: restrict software deployment to servers - 11/4/2008 4:20:51 PM   
hcortez463


Posts: 793
Score: 65
Joined: 4/8/2005
Status: offline 		well you can created a delegation modle in SCCM and grant him\her access to predified collectoins.  that only contain WS and not servers. 

_____________________________

If it Helps, Please rate....

(in reply to smckenney190)
Post #: 2
RE: restrict software deployment to servers - 11/5/2008 5:20:52 PM   
mreavis


Posts: 783
Score: 77
Joined: 9/10/2002
From: Olathe, Kansas
Status: offline 		I had originally built our site not to deploy software to servers, however, when I came into the group that managed them that changed. These are the pieces I had in place that worked very well:
another item you can do is to create a maintenance window on one of the server collections that will limit when software gets installed. Just do not forget you put it there. so long as the advert is not set to override you willl be fine.

If all of your servers are on a different subnet from the desktops, ensure there are no DPs that serve that subnet


As cortez mentioned, if you have to lock it down, you are going to have to remove all class rights to the collections for distribute, and go down the list one at a time and grant them to the correct account/group.


_____________________________

Michael Reavis
SMS Admin
MCSE, MCDBA, MCDST
Johnson County Goverment

(in reply to hcortez463)
Post #: 3
RE: restrict software deployment to servers - 11/7/2008 10:43:01 AM   
ssign

 

Posts: 5
Score: 0
Joined: 7/29/2008
Status: offline 		In your collection use the query to name the subnets or the computer names that you do not want to be included in any advertisements.
NetbiosName !=  (! is Does Not, =  is Equal)
IPsubnet is not like
You may even be able to use the % variable...

(in reply to mreavis)
Post #: 4
RE: restrict software deployment to servers - 11/7/2008 1:06:16 PM   
smckenney190

 

Posts: 36
Score: 0
Joined: 8/26/2005
Status: offline 		I found a solution that works pretty well.  In the SCCM Help i found a bit that explains the user rights and the differences between adminsiter and delgate.  Rather than having that group administer collections, i give only delegate and create rights to the class, and then if i give instance rights to the Workstations collection, they can create new collections based on the ones that have instance rights defined (i.e workstations).  This will allow them to manage the collections that they create (and those get the instance rights that i had defined), but not the others. Since the do not have read access to any collection with server resources, they will not be able to advertise to them...problem solved!

(in reply to ssign)
Post #: 5
RE: restrict software deployment to servers - 11/12/2008 1:17:19 PM   
esalmin

 

Posts: 17
Score: 0
Joined: 8/14/2007
Status: offline 		You can install a separate SCCM hierarchy for managing servers.

(in reply to smckenney190)
Post #: 6
Page:   [1]
All Forums >> [Management Products] >> System Center Products >> System Center Configuration Manager >> restrict software deployment to servers Page: [1]
Jump to:





New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts



  
Forum Software © ASPPlayground.NET Advanced Edition 2.4.5 ANSI

0.250